Tech Security Update: PowerPoint Malware Distribution

Submitted by bhall on September 6, 2017 - 7:53am

Brandon Hall, Director of Technology

It has come to my attention that there is an active malware campaign using .PPSX files, which is a PowerPoint slide show extension. The most common file type is .PPT, which is just a PowerPoint presentation. To my knowledge, these are not affected yet. The malware distributor is taking advantage of a Microsoft “workaround” that bypasses certain security features, which allows these types of scripts to run without being checked by security software. Why this was ever an accepted workaround for something, I don’t know, but that is the case. There is no actual fix for the original workaround, so PowerPoint users should be extra careful when opening presentations, especially .PPSX files, even from people you know. Call the number you have on file for the person who sent you the presentation and verify they actually sent it to you.

Ramifications:
When the .PPSX file is opened, the program downloads an additional file and runs a command, which runs a PowerShell script that gives control of your machine to a remote malicious user. From there, that user can do whatever they like with your machine: watch the screen, capture what you type, download files from you, etc.
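For anyone triaging a suspicious attachment without opening it in PowerPoint, the following is an added example and not part of the original notice. A .PPSX file is a ZIP package, and this Python check lists every relationship in it that points outside the file; the notice does not say how the download is triggered, so treating external relationships as the indicator is an assumption, and the sample packages and the `example.invalid` address are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_BYTES = 1_000_000  # relationship parts are small; skip oversized ones


def external_targets(data):
    """Return (part, relationship kind, target) for each external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_BYTES:
                continue
            raw = pkg.read(info)
            if b"<!DOCTYPE" in raw:  # OOXML parts never need a DTD; flag, do not parse
                findings.append((info.filename, "DOCTYPE", ""))
                continue
            for rel in ET.fromstring(raw).iter(REL):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def build_sample(kind, target, mode=None):
    """Constructed one-relationship package for the demo; not a real presentation."""
    mode_attr = ' TargetMode="%s"' % mode if mode else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s%s" Target="%s"%s/>'
        "</Relationships>" % (OFFICE, kind, target, mode_attr)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample("slideLayout", "../slideLayouts/slideLayout1.xml")
    remote = build_sample("oleObject", "http://files.example.invalid/constructed", "External")
    for label, blob in (("clean", clean), ("remote", remote)):
        print(label, external_targets(blob))
```

Ordinary hyperlinks also show up as external relationships, so a hit is a reason to look closer at the relationship kind and target, not proof that the file is malicious.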

If you receive something you would like me to look at, please just send it over and I’m happy to help. If I hear that this issue has been fixed by Microsoft, I’ll let you know.